It took me a long time to be persuaded to use a password manager. I was always a notebook and pen type of guy when remembering passwords, and the paranoid part of me thought there was probably a backdoor in these apps that sends the passwords back to the developers.

Yes, I wear a tinfoil hat.

But as my passwords got longer and more sophisticated, writing them down on paper became much more difficult and impractical. I mean, @R5g9_jMnDp23@_12Xq@ doesn’t exactly roll off the tongue, does it? So I switched to a password manager, and I was instantly hooked on KeePass.

But First…

Most of the plugins only work with KeePass version 2. Version 1 is an older release, and only a small selection of the plugins will work with it. So if you really want to use plugins, I highly recommend you upgrade to version 2. You will have to export the password database from version 1 first, then import it into version 2. It’s very easy and only takes a couple of minutes.

Secondly, installing plugins is very easy. Each plugin will either come as a zip file or as a PLGX file. “Installing” only involves exiting KeePass and then placing the plugin in the same folder as the keepass.exe file (you’ll find this by browsing to C:\Program Files (x86)\KeePass Password Safe\). Zip files should be unzipped and all of the folder’s contents placed in the keepass.exe location. PLGX files should also be placed in the same location. No need to click on them. KeePass takes care of all of that.

When you’re ready to start using KeePass again, double-click the keepass.exe icon in the KeePass directory to start the program. Don’t use desktop shortcuts or app launchers to launch KeePass. You MUST double-click keepass.exe. You will then see a message on-screen telling you that the plugins are being activated and the program will subsequently open.

Last of all, as far as I am aware, these plugins only work with the Windows version of KeePass. The Mac and Linux versions do not appear to have plugin support, which I hope the developers will make a serious effort to rectify soon.

Now we have all that out of the way, let’s take a look at the plugins.

In life, disasters happen. It’s normal and unavoidable. One thing that you should be doing on a constant basis (preferably daily) to avert potential disasters is backing up everything that lives on your computer’s hard drive. Whether on a removable hard drive, a USB stick, or on cloud storage; it doesn’t matter.

Your password manager is no exception. What if somehow you accidentally delete the database? Or it becomes corrupted? Or your hard drive goes on the fritz? Any number of things can happen, which is why this plugin is so invaluable.

Simply configure where you want the database backup to go (obviously not on the same computer as the original database) then click “Backup DB NOW!”. Instantly your database will be copied to the other location. Easy.
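The plugin does the copy for you, but the two things worth checking on any database backup are that the copy is byte-for-byte identical to the original and that old copies are rotated so the destination does not fill up. The script below is an added example and not the plugin's code; it copies a `.kdbx` file to a timestamped name, verifies the copy with SHA-256, and prunes older copies. The file names, the `keep` count and the sample database bytes in `run_demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so a large database is never fully loaded."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(src: Path, dest_dir: Path, keep: int = 5,
                    stamp: Optional[str] = None) -> Path:
    """Copy src into dest_dir as <name>-<timestamp>.kdbx, verify the copy,
    then delete all but the newest `keep` copies. Raises IOError on mismatch.

    dest_dir should be a different disk, USB stick or synced folder, not the
    folder holding the live database (as the article points out).
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    target = dest_dir / f"{src.stem}-{stamp}{src.suffix}"
    shutil.copy2(src, target)  # copy2 also preserves the modification time
    if sha256_of(src) != sha256_of(target):
        target.unlink()  # never keep a backup we know is corrupt
        raise IOError("backup copy does not match the source database")
    # Timestamps are zero-padded, so sorting names descending puts newest first.
    copies = sorted(dest_dir.glob(f"{src.stem}-*{src.suffix}"), reverse=True)
    for old in copies[keep:]:
        old.unlink()
    return target


def run_demo() -> Dict[str, object]:
    """Constructed scenario: fake 'database' bytes, seven backups, keep five."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "Passwords.kdbx"
        # Constructed placeholder content; a real .kdbx is an encrypted container.
        src.write_bytes(b"constructed-fake-kdbx-" + bytes(range(256)))
        dest = root / "backup-drive"
        last = None
        for day in range(1, 8):
            last = backup_database(src, dest, keep=5, stamp=f"20170601-0000{day:02d}")
        remaining = sorted(p.name for p in dest.glob("Passwords-*.kdbx"))
        return {
            "copies_kept": len(remaining),
            "newest": last.name,
            "oldest_kept": remaining[0],
            "hash_matches": sha256_of(src) == sha256_of(last),
        }


if __name__ == "__main__":
    print(run_demo())
```

Keeping a handful of dated copies rather than one overwriting copy matters for the corruption case the article describes: if the live database is already damaged when the backup runs, the previous day's copy is still there.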

It could be said that this is really only for aesthetic value, but I would also point out another use for having favicons. When you start to build a really big list of website names and URLs, sometimes the mind reacts more easily and quickly to a graphic than to text. Instead of scanning the list and potentially missing the one you want, you could instead spot the icon much faster. When you look at my list above, what jumps out at you more? The icon or the text?

After installing this plugin, you will see a new menu option for downloading the favicons. The plugin will then scan your list and download the relevant icons where available. It may have issues with a few sites, in which case try again later. When I tested it, it couldn’t retrieve the favicons for Invoiceable and Pocket.

It used to be that all you needed to secure your online accounts was a simple password. Those days are long gone, and now you need to have ever more sophisticated passwords if you want to beat the likes of hackers and the NSA.

When configuring it, you will be asked to insert your wordlist. The plugin simply takes the words you give it and jumbles them up to make unique passwords. So find a wordlist online (very easy to find if you Google “wordlists”), and copy/paste it into the provided space. Make sure you have a huge list of unique words, so you get as many different variations of word sequences as possible. I would suggest a minimum of 500 words. 1,000 would be better.

One good site for getting words is List Of Random Words. But as I said, Google is bursting with so much more.

The standard interface for KeePass gives you fields for the username, URL, password, and a few other assorted extras. But if you are looking for more flexibility in what you can list for each password entry, then Enhanced Entry View is the one to head to.

EEV gives you fields such as tags, an expiry date field, and plenty of space for notes. It’s a nice plugin to have to expand on what KeePass merely provides as default.

You are probably wondering why you would need an on-screen keyboard. Well, what about this scenario? You are on a computer in an Internet cafe with portable KeePass on a USB stick. How do you know there isn’t keylogging software covertly installed on the computer? Or the same could be said for “friends” and acquaintances hoping to read your email and chat messages.

If it isn’t your keyboard, I would suggest you adopt a policy of “don’t trust it” and assume the keyboard is compromised. That is where Onscreen Keyboard helps out enormously.

When you start KeePass, the keyboard will immediately open, so you can use the mouse or trackpad to click on the keyboard buttons. Take that, keyloggers.

Floating Panel is a small panel which sits on your desktop, on top of all other windows. It can be dragged with the mouse to wherever you want it to go, and it simply provides you with quick links to open up various aspects of your KeePass database without actually clicking on the KeePass program itself.

This would be advantageous if, for example, you had lots of windows and apps open. Save time by using Floating Panel instead.


Glenn

June 28, 2017 at 2:47 am

Quick Unlock is a great plugin... you only type a few letters of the beginning or end of your password to unlock your database. If it's incorrect, you have to type the whole p/w. All of those seconds every day really add up!

"One stronger form of password is a word sequence password (also known as a passphrase)." Despite being recommended by XKCD https://xkcd.com/936/ it's now become a really ****BAD**** idea to use passphrases, since hackers use "rainbow tables" with thousands and thousands of common words - combining them with each other and numbers - to try to crack passwords. Really strong passwords that *can't* be guessed this way use lots of numbers, upper and lowercase characters, and punctuation.

The problem isn't using passphrases, it's using passphrases composed of randomly selected words. If you use phrases that are common such as out of a book, poem, song, or composed of an English sentence it reduces security. If you can manage to pick 5 completely random words from the dictionary (which humans are generally really bad at) then you will be better off than a random string.

English keyboard has roughly 57 characters available so a random string of 20 characters would have 57^20 = 1.3e35 combinations

The English dictionary has ~170,000 words so 4 words would yield
170,000^4 = 8.4e20 combinations

Albeit this is significantly lower but still uncrackable assuming the password is stored properly. It would still take 2170+ years to guess 8.4e20 combinations at 350 billion guesses per second (which is only obtainable with significant computing power and a weak hash function)

The problem is that people won't pick from ~170,000 words, they'll pick from <5,000 more common words, and wind up with significantly fewer than 8.4e20 combinations. They'll wind up with words that are definitely in the "rainbow tables" that hackers use to pick passwords.
Which is more likely to be used as a password: "myprettyponyrunsfast" or "skacromulentumamizeugmaschism"?
Choosing a password by combining words is likely to entice users to make short passwords from common words, not secure passwords that will take centuries to crack. How many password managers like Roboform have word-phrase generators, and how many use random characters? Roboform? KeePass? LastPass? Thought so.

The other problem with having long, random passwords is it leads people to do other stupid things else risk being locked out of their accounts. They're either going to have a weak Keepass password, or do something like email/write down their passwords so they can use them when they don't have access to their password db. How do you access your Amazon account or email on your phone? You're probably going to make your email password something you can get into easily (assuming you're the average user). Most other passwords can be reset with your email and a quick search for personal info on the web.

My point is, it doesn't really matter how secure a password is because it's not the password that's the weakest link. There is a whole chain of weaker links before the password.

Re-using passwords across sites is a much worse offense than anything else. All it takes is one site storing your password in plain-text and cracking doesn't matter.
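The article's word-sequence plugin and the thread above both turn on the same arithmetic: how many combinations a scheme allows, and how long a given guess rate takes to exhaust them. The block below is an added example, not the plugin's code or any commenter's. It draws words with the `secrets` CSPRNG (the correct way to "jumble" a wordlist, since `random` is predictable), deduplicates the list as the article advises, and carries through the figures quoted above: 57 characters at length 20, 170,000 words at length 4, a 5,000-word "common words" pool, and 350 billion guesses per second. The small wordlist is constructed for illustration; a real list should have the 500 to 1,000 words the article suggests.

```python
import math
import secrets
from typing import Dict, Sequence

# Constructed wordlist stand-in; load a 1000+ word file in real use.
SAMPLE_WORDS = [
    "anchor", "basalt", "cobalt", "dagger", "ember", "fjord", "glacier", "harbor",
    "iodine", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
]

SECONDS_PER_YEAR = 365 * 24 * 3600
GUESSES_PER_SECOND = 3.5e11  # "350 billion guesses per second" from the thread


def generate_passphrase(words: Sequence[str], count: int = 4, sep: str = "-") -> str:
    """Pick `count` words uniformly at random, with replacement, using a CSPRNG.
    Duplicate words in the list are collapsed first so repeated entries do not
    bias the draw toward them."""
    pool = sorted(set(words))
    if not pool:
        raise ValueError("wordlist is empty")
    return sep.join(secrets.choice(pool) for _ in range(count))


def combinations(pool_size: int, length: int) -> int:
    """Size of the search space for `length` independent picks from `pool_size` symbols."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """log2 of the search space: the usual 'bits of entropy' figure."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(space: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst case time to try every candidate; an average attack needs about half."""
    return space / guesses_per_second


def passphrase_entropy(words: Sequence[str], count: int) -> float:
    """Entropy of `count` picks from the *unique* words in the list."""
    return entropy_bits(len(set(words)), count)


def compare_schemes() -> Dict[str, float]:
    """The three cases discussed in the thread, side by side."""
    char_space = combinations(57, 20)          # random 20-char string
    dict_space = combinations(170_000, 4)      # 4 words from the whole dictionary
    common_space = combinations(5_000, 4)      # 4 words from a 5,000-word common pool
    return {
        "char_space": char_space,
        "dict_space": dict_space,
        "common_space": common_space,
        "char_bits": entropy_bits(57, 20),
        "dict_bits": entropy_bits(170_000, 4),
        "common_bits": entropy_bits(5_000, 4),
        "dict_years": seconds_to_exhaust(dict_space) / SECONDS_PER_YEAR,
        "common_minutes": seconds_to_exhaust(common_space) / 60,
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, count=5))
    for key, value in compare_schemes().items():
        print(f"{key:>15}: {value:.4g}")
```

The useful output is the gap between `dict_bits` and `common_bits`: a 170,000-word pool gives roughly 69 bits for four words, a 5,000-word pool under 50, and the latter falls to minutes at the quoted guess rate. The numbers only hold when each word is chosen independently and uniformly, which is why the generator uses `secrets` rather than a human or `random`.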

Anonymous

January 20, 2016 at 4:45 pm

I have KeePass for Android on my tablet and phone, and DropBox to sync the database. This way I **never** re-use a password, and I have no worries about being locked out - the password database is on my desktop, laptop, tablet, and phone, and I always have a secure password generator on each device.
The people whose passwords get hacked are the ones who don't give a damn. I prefer to keep myself safe.
The KeePass-sniffing trojan has me worried, so I'm upgrading my antivirus on each device as a New Year's resolution.

As for tricky websites (and it seems a lot of them are getting trickier in the name of security), you can always use the notes section to record things like security questions, etc. You can also put other information there; I use it for my Amex card number. The notes are encrypted along with everything else.

I use KeePass as my safety deposit box for key sites. For most sites, like MUO, I use the Firefox password manager which has almost 1000 sites I logged into over the past decade.

I've tried KeePass more than once and gave up in despair, returning to LastPass each time. Seems 'every time' a site requires anything other than user name and password, KeePass trips up! And KeePass' own user instructions are near worthless - sure, it tells you the basics, but nothing at all about alternatives/options when things don't work perfectly.

I still like the idea of keeping my log-in credentials on my computer and not in 'the cloud' like with LastPass. Would be real nice if MUO could write a tutorial article - including tips on dealing with 'tricky' websites.

Too often, I find that websites that deviate from the usual "username / password" arrangement (such as asking for email instead) -- will trip up Keepass -- causing it to fail to populate the fields. I am sure there are ways to fix that -- but I can't seem to find much documentation of what to do when things don't work.

Which websites are you unable to use KeePass with? The only services that don't work for KeePass are Battle.net and Humble Bundle because they're using some sort of TOTP from an enigma machine that the Spanish Inquisition obtained.

bob

April 27, 2016 at 3:52 pm

Solution 1 (simpler):

- Store the email address in the username field on your KeePass entry for the site.

Solution 2 (fancier):

Locate your entry on KeePass, then open the 'Edit Entry' window:

- Advanced (tab) > Add (button):
In the 'Name' field type: email
In the 'Value' field type your email address.

Solution 2 allows you to have both a username and an email address in that KeePass entry, and the auto-type will work correctly.
This can be easily extended/altered to include other information: just create another custom field (like above), and include its name in the custom auto-type sequence, using the {S:} syntax, just like in the example above.

" When you look at my list above, what jumps out at you more? The icon or the text?"
The text. Because it tells me the name of the site. Also, for somebody with poor eyesight it is easier to differentiate between similar words than similar icons. It would take me a very long time to learn what site each icon represents. Favicons may be useful when one has 10 or 20 bookmarks. When one has thousands, no way.

While the text name of BlueTree, Copy and Invoicable is distinctive, all three favicons look the same. Can't use icons to pick a site.
Why is the icon for Firefox Hello an 'm'? Not very intuitive. In fact, not intuitive at all.

"Favicons may be useful when one has 10 or 20 bookmarks. When one has thousands, no way."
A database with 1000s of passwords? Undoubtedly some people have those, but, also undoubtedly, will be a tiny minority. So they are not representative of the KeePass user community. But even looking at that handful, I'll bet that looking for a specific password by reading text is no piece of cake either, no way. I'll bet they would still go for favicons.

I was wanting to include that one in the article and I spent hours trying to get it to work. In the end, I stopped as I was about to throw the monitor out of the window. It's not easy configuring that one.

Mark O'Neill is a freelance journalist and bibliophile, who has been getting stuff published since 1989. For 6 years, he was the Managing Editor of MakeUseOf. Now he writes, drinks too much tea, arm-wrestles with his dog, and writes some more. You can find him on Twitter and Facebook.